JWT authentication with Spring Web - Part 1

JSON Web Tokens (JWTs) are signed tokens issued by a server, which the server can later use to verify claims presented by a client. This blog post is the first in a series where I implement JWT-based authentication in a Spring Web application with an Angular JS front end.

What is JWT?

A JWT contains 3 parts - a header, a payload and a signature. A JWT can in turn be represented as a JWS or a JWE. JWS stands for JSON Web Signature, defined in RFC 7515, and JWE stands for JSON Web Encryption, defined in RFC 7516. In a JWS the payload being sent is not encrypted, whereas in a JWE it is [1]. This blog post will deal only with JWS.

Structure of a JWT

The signature itself is generated by signing the header and payload with a key, for example using the HMAC-SHA256 algorithm. The two parts are base64url encoded (unpadded, as RFC 7515 requires) and joined with a dot before being signed:

HMAC-SHA256(base64url(header) + "." + base64url(payload), key)

A JWT header is a JSON object that typically has the following values:

alg - The algorithm used for signing the token.

typ - This optional parameter, set to JWT, declares this JSON object as a JWT.

An example JWT header when the algorithm used is HMAC-SHA256 (registered name HS256):

{
  "alg": "HS256",
  "typ": "JWT"
}

A JWT payload contains a series of claims. There is an IANA "JSON Web Token Claims" registry that reserves a number of claim names for specific purposes. Applications are free to use any other names for their claims, except these reserved ones. An important claim is exp, the expiration time on or after which the JWT MUST NOT be accepted for processing. The following payload sets issuer, expiry date and a username.

I have been implementing the JWT RFC to learn about it and it was fairly straightforward. I did the token generation part and did not finish the token verification part. The code for that exercise can be found here. A more complete implementation of the RFC for the JVM is jjwt, and the rest of the series will be using that implementation. The JWT website has a debugger that allows for creation and verification of tokens.

[1] A detailed explanation of the differences between JWS and JWE can be found here.

If you have questions or comments about this blog post, you can get in touch with me on Twitter @sdqali.